More information about the Office Web Components ActiveX vulnerability

We are aware of public attacks on the Internet exploiting a vulnerability in the Office Web Components Spreadsheet ActiveX control (OWC 10 and OWC11). Microsoft has released an advisory with further information available here.

What's the attack vector?

This vulnerability could be used for remote code execution in a "browse and get owned" scenario. User interaction is required since a user needs to go to a malicious website that hosts the exploit.

What configurations are at risk?

Neither OWC10 nor OWC11 is installed by default on any Windows version. However, they can be installed alongside several products:

Please note that several scenarios and configurations mitigate this vulnerability:

Outlook and Outlook Express are not affected, because both open HTML e-mail in a zone where ActiveX is restricted. However, if a user follows a link to a malicious website, attackers could still exploit this vulnerability through the browser.

On Windows Server 2003 and Windows Server 2008, ActiveX controls will not load in the Internet Zone when a user browses with the default settings, because of the Internet Explorer Enhanced Security Configuration (ESC).

If OWC is not installed on the computer and the user visits a page hosting the attack, Internet Explorer 7 or 8 will show the gold bar prompt requesting permission to install the ActiveX control.

How do I check whether I am at risk?

You can check whether a workstation is vulnerable to this attack by using the Classid.cs tool we published in a previous blog post.
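As an added example (this is not the Classid.cs tool and not code from the post), the following PowerShell complements that tool with a registry-only check: it reports whether each control is registered on the workstation and whether Internet Explorer's kill bit already blocks it. The CLSID values are placeholders to be filled in from the Microsoft advisory; the registry locations and the 0x400 kill-bit flag are Internet Explorer's standard ActiveX compatibility settings, not details taken from the post.

```powershell
# Added example: registry-level check for an ActiveX control's exposure.
# Run from an elevated PowerShell prompt on the workstation being checked.
# PLACEHOLDER CLSIDs: replace with the OWC10/OWC11 Spreadsheet control
# CLSIDs listed in the Microsoft advisory.
$Clsids = @{
    'OWC10 Spreadsheet' = '{CLSID-OF-OWC10-SPREADSHEET-FROM-ADVISORY}'
    'OWC11 Spreadsheet' = '{CLSID-OF-OWC11-SPREADSHEET-FROM-ADVISORY}'
}

# Internet Explorer treats bit 0x400 of the "Compatibility Flags" DWORD
# under these keys as the kill bit; the Wow6432Node copy is read by
# 32-bit Internet Explorer on 64-bit Windows.
$KillBit = 0x400
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param([string]$Clsid)
    foreach ($base in $CompatKeys) {
        $key = Join-Path $base $Clsid
        if (Test-Path -LiteralPath $key) {
            $flags = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $flags -and ($flags -band $KillBit) -eq $KillBit) { return $true }
        }
    }
    return $false
}

function Get-ControlRisk {
    param([string]$Name, [string]$Clsid)
    $regKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $installed = Test-Path -LiteralPath $regKey
    # The InprocServer32 default value names the DLL that implements the control.
    $server = if ($installed) {
        (Get-ItemProperty -LiteralPath "$regKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    }
    $killed = Test-KillBit -Clsid $Clsid
    [pscustomobject]@{
        Control   = $Name
        Installed = $installed
        Server    = $server
        KillBit   = $killed
        # Exposed only when the control is registered and IE is still allowed to load it.
        AtRisk    = ($installed -and -not $killed)
    }
}

$Clsids.GetEnumerator() | ForEach-Object { Get-ControlRisk -Name $_.Key -Clsid $_.Value } | Format-Table -AutoSize
```

A registry check of this kind shows whether the control is present and blocked; it does not reproduce the instantiation-and-scripting test that the Classid.cs tool performs inside the browser's own safety checks.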

By default, if the control is installed, it can be instantiated and scripted, as shown in the tool output below: